In today's information age, protecting the security of information or data in computer systems or networks can be challenging. Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) are commonly implemented in order to protect the security of information or data in computer systems or networks. IDSs and IPSs monitor network or system activity, and indentify, report, and/or attempt to prevent malicious or suspicious activities. However, conventional systems for securing the computer systems and networks still have vulnerabilities. For example, conventional systems for securing the computer systems and networks may still be vulnerable to internal threats, such as tunneling.
Tunneling is a when a first network protocol is encapsulated inside a second protocol. For example, a Secure Shell (SSH) tunnel is when an encrypted tunnel is created through an SSH protocol connection. In order to create an SSH tunnel, a user may configure her computer to forward a specific local port to a port on a remote machine. Once the SSH tunnel has been created, the user may connect to the specific local port to access the service on the remote network.
Tunneling provides a means for a user to circumvent security features an organization may have configured for a computer system or network that the organization is controlling. For example, by tunneling a user can prevent communications the user sends to and receives from the Internet (e.g., the user's web session or web traffic), from being controlled, monitored, or even visible to others, including the organization controlling the system or network from which the user is running her computer. Therefore, it is understood that tunneling creates a high risk scenario for the organization. For example, by creating a tunnel, a user may access restricted content that the organization has restricted the user from accessing. Further, by creating a tunnel, a user may transmit or otherwise disseminate confidential information, such as confidential information about the organization or their customers, with the organization being unaware of the transmission or dissemination.
Therefore, it would be beneficial to be able to detect and analyze tunneling (e.g., encrypted tunneling) in order to proactively address possible data leaks and other potentially detrimental behavior to the organization. Hence, it would be advantageous to have a system and method which detects tunneling (e.g., encrypted tunneling) in a computer system or network. Further, it would be advantageous to have a system and method which detects and analyzes tunneling (e.g., encrypted tunneling) in a system or computer network.